Priorities of security CDI interceptors

[sberyozkin]

Michal explained in the quarkus-langchain4j PR discussion that currently, these security and activate request context CDI interceptors have the following priorities:

• StandardSecurityCheckInterceptor has a priority PLATFORM_BEFORE
• Quarkus Security security interceptors supporting @Authenticated and other annotations have a LIBRARY_BEFORE priority.
• ActivateRequestContextInterceptor has a priority PLATFORM_BEFORE + 100

Does it make sense to get ActivateRequestContextInterceptor running for example at LIBRARY_BEFORE - 1, so that users can add for example @ActivateRequestContext, alongside @Authenticated, on random beans, not only on JAX-RS resources ?

Michal also explained that it won't really help if the RequestContext was already terminated since @ActivateRequestContext will miss out on the authenticated SecurityIdentity from the terminated context, so perhaps it does not make sense to pursue it.

[michalvavrik]

My POV is that StandardSecurityCheckInterceptor priority was set to PLATFORM_BEFORE because:

• I wanted it to run before AuthenticatedInterceptor (and others) that has LIBRARY_BEFORE
• I didn't realize disadvantages till I saw your stacktrace related to the ActivateRequestContextInterceptor not running
• I didn't expect that StandardSecurityCheckInterceptor actually needs the CDI request context till I saw the stacktrace as it's only clear from Quarkus REST internals

So fixing the priority makes sense to me. Nevertheless as you mentioned, it's not very useful anyway.